Re: [Samba] DNS management error
Wow! I'm impressed! :-) I also ensured that the domain was at 2003 native but with no improvement. When you say that in the DNS tool I configured forest wide zone replication, is that the Win DNS MMC or samba-tool? Can you be specific? That may have been my problem.

Thanx, Garth

On 08/28/2013 09:52 AM, Antun Horvat wrote:

Hello again, I wanted to notify everybody that I managed to overcome this problem. The issue was that CN=MicrosoftDNS,DC=ForestDnsZones,... branch was missing because the Forest was operating in Windows 2000 native functional level. The thing that I did was, transfer all FSMO roles back to Windows 2003 server, plugged off Samba servers, cleaned Samba server metadata and then raised the level of the domain to Windows 2003 Native. Then in the DNS tool I configured forest wide zone replication. Then I did fresh install of Samba on Linux servers and joined them to the domain. When I was sure that all changes are being replicated across all domain controllers, I transferred all FSMO roles back to one Linux server and unplugged Windows 2003 from the network. Now I have full access to DNS services and all other levels of Domain are functional. To be exact, I still have some minor issues such as long logon times, but soon I will resolve them too.

All best, Antun

On 08/27/2013 09:00 PM, Antun Horvat wrote:

Well that's the thing, I can only replicate DNS changes from WinDC to Samba, but not in other way. I can't even update DNS records on Samba side, only on Windows side. I managed to figure out an error on Samba caused by RPC call:

dnsserver: Found DNS zone . Failed to find DNS Zones in CN=MicrosoftDNS,DC=ForestDnsZones,DC=Radio101,DC=local

Now I am surfing on the web trying to find some kind of solution.

All best, Antun

On 08/27/2013 08:46 PM, Garth Keesler wrote:

Interesting. Are Forest and Domain records being replicated in both directions from all DCs? It always worked from the WinDC to the S4DC but not in the other direction. Also, were you able to use the WIN DNS MMC to examine the DNS records on any of the Samba DCs? If so, you are probably close to having it working; something I never managed to do.

See ya... Garth

On 08/27/2013 12:07 PM, Antun Horvat wrote:

Thanks for such quick reply, I have just executed samba-tool drs showrepl command and it seems that Forest and Domain LDAP DIT are being replicated successfully. But I still doubt that it can not be fixed since all RR records that are added to w2k3 server are successfully propagated and present. All name resolution queries on samba reflect the state of w2k3 DNS. Is there some way to debug RPC calls so that we can more precisely locate the error?

All best, Antun

On 08/27/2013 06:40 PM, Garth Keesler wrote:

This issue has been discussed at length before with no resolution to my knowledge. If you use samba-tool drs showrepl, you will probably notice that Forest and Domain DNS is not being replicated to/from all DCs. Additionally, if you use Win2003 DNS MMC, you will not be able to detect that DNS is running on the Samba DCs nor that they are DCs at all. I have only tested this using internal Samba DNS but have found no workaround and have dropped trying to use Samba to demote/replace a Win2003 DC for now.

Good luck, Garth

On 08/27/2013 09:58 AM, Antun Horvat wrote:

Hello, I have an issue with existing installation of samba4 domain controller that is specific to dns management. In the domain I have two samba4 4.0.7 and one windows 2003 server that I plug periodically to manage the dns. All fsmo roles are transferred to samba. All aspects of the domain work perfectly, except one, the samba-tool dns commands do not work. All commands when executed on samba server return ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE') error. The same command pointed to windows server works fine. All commands that add hosts to windows are replicated to samba instances. The domain is functioning at 2003 native level (reported by windows tool), but samba can't figure out the level. Also when I try to demote the w2k3 server I get the error that Active Directory could not find another domain controller to transfer the remaining data in the directory partition DC=DomainDnsZones,Dc=example,dc=com

Could you please point me to the right resources so that I can resolve my current issues. Thanks in advance, and I wish best to all Samba community.

ps If you need some kind of help, such as testing rc's in certain configuration, please contact me.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] DNS management error
Many thanks! I'll give this a try.

See ya... Garth

On 08/28/2013 01:18 PM, Antun Horvat wrote:

To clarify things a bit for others with the same problem, I will try to explain exact things that I did. Like I said, one of my issues was that the domain was functioning in level 2003 native, but the forest remained in the 2000 native functioning level. So you need to be sure that both domain and forest levels are indeed functioning in 2003 native level.

If your domain and forest is not running in that level, you need to transfer all FSMO roles to your Windows server. These roles are (RID, PDC, Infrastructure, Naming master, Schema master). At that point I removed all samba servers from the domain which may not be needed, but I wanted to decrease the chance of Samba to interfere with the process of raising the level. Since I could not demote the samba for some reason from the domain, I simply stopped the Samba process on Linux servers and removed Samba metadata on windows using ntdsutil tool. You must be careful with that command since you can destroy all your domain data with it.

Now with just Windows 2003 server in the domain I have simply raised the forest level and did not experience any problems with it. Next, I opened DNS MMC in Windows2003 and selected my domain zones, right clicked the zone and in options selected forest wide replication. I don't remember the exact name of the tab, but it is easily identified.

Now I have reinstalled (make uninstall; make install) Samba on the Linux servers and joined them as DC's to Windows server. Now it is a good time to test replication of LDAP data between server by adding for example user1 to Windows and user2 to Linux server and see if the users are being replicated between the servers. Also check the status of samba-tool drs showrepl. Then if the data is replicating without any error, using the samba-tool fsmo transfer --role=all transfer all FSMO roles to Linux server. Now wait few minutes and shutdown Windows 2003 server from the network.

At this point the domain should be running just fine and everything can be based on Samba4 AD's. Now you can manage your Domain and DNS data through Windows MMC tools or through samba-tool CLI tool. Also if you experience some issue with slow logins in Domain workstations, be sure to delete ipv6 address from DNS zone, as it fixed login times in my case.

If you are doing this in fully functional environment where everything is depending on your DC, and people are using workstations 24H don't worry, it can be done since I did that without any downtime. I have successfully converted old windows 2000 domain into 2003 compatible domain running only on (for now) two Samba DC's.

On 08/28/2013 06:29 PM, Garth Keesler wrote:

Wow! I'm impressed! :-) I also ensured that the domain was at 2003 native but with no improvement. When you say that in the DNS tool I configured forest wide zone replication, is that the Win DNS MMC or samba-tool? Can you be specific? That may have been my problem.

Thanx, Garth

On 08/28/2013 09:52 AM, Antun Horvat wrote:

Hello again, I wanted to notify everybody that I managed to overcome this problem. The issue was that CN=MicrosoftDNS,DC=ForestDnsZones,... branch was missing because the Forest was operating in Windows 2000 native functional level. The thing that I did was, transfer all FSMO roles back to Windows 2003 server, plugged off Samba servers, cleaned Samba server metadata and then raised the level of the domain to Windows 2003 Native. Then in the DNS tool I configured forest wide zone replication. Then I did fresh install of Samba on Linux servers and joined them to the domain. When I was sure that all changes are being replicated across all domain controllers, I transferred all FSMO roles back to one Linux server and unplugged Windows 2003 from the network. Now I have full access to DNS services and all other levels of Domain are functional. To be exact, I still have some minor issues such as long logon times, but soon I will resolve them too.

All best, Antun

On 08/27/2013 09:00 PM, Antun Horvat wrote:

Well that's the thing, I can only replicate DNS changes from WinDC to Samba, but not in other way. I can't even update DNS records on Samba side, only on Windows side. I managed to figure out an error on Samba caused by RPC call:

dnsserver: Found DNS zone . Failed to find DNS Zones in CN=MicrosoftDNS,DC=ForestDnsZones,DC=Radio101,DC=local

Now I am surfing on the web trying to find some kind of solution.

All best, Antun

On 08/27/2013 08:46 PM, Garth Keesler wrote:

Interesting. Are Forest and Domain records being replicated in both directions from all DCs? It always worked from the WinDC to the S4DC but not in the other direction. Also, were you able to use the WIN DNS MMC to examine the DNS records on any of the Samba DCs? If so, you are probably close to having it working; something I never managed to do
Re: [Samba] DNS management error
This issue has been discussed at length before with no resolution to my knowledge. If you use samba-tool drs showrepl, you will probably notice that Forest and Domain DNS is not being replicated to/from all DCs. Additionally, if you use Win2003 DNS MMC, you will not be able to detect that DNS is running on the Samba DCs nor that they are DCs at all. I have only tested this using internal Samba DNS but have found no workaround and have dropped trying to use Samba to demote/replace a Win2003 DC for now.

Good luck, Garth

On 08/27/2013 09:58 AM, Antun Horvat wrote:

Hello, I have an issue with existing installation of samba4 domain controller that is specific to dns management. In the domain I have two samba4 4.0.7 and one windows 2003 server that I plug periodically to manage the dns. All fsmo roles are transferred to samba. All aspects of the domain work perfectly, except one, the samba-tool dns commands do not work. All commands when executed on samba server return ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE') error. The same command pointed to windows server works fine. All commands that add hosts to windows are replicated to samba instances. The domain is functioning at 2003 native level (reported by windows tool), but samba can't figure out the level. Also when I try to demote the w2k3 server I get the error that Active Directory could not find another domain controller to transfer the remaining data in the directory partition DC=DomainDnsZones,Dc=example,dc=com

Could you please point me to the right resources so that I can resolve my current issues. Thanks in advance, and I wish best to all Samba community.

ps If you need some kind of help, such as testing rc's in certain configuration, please contact me.
Re: [Samba] DNS management error
Interesting. Are Forest and Domain records being replicated in both directions from all DCs? It always worked from the WinDC to the S4DC but not in the other direction. Also, were you able to use the WIN DNS MMC to examine the DNS records on any of the Samba DCs? If so, you are probably close to having it working; something I never managed to do.

See ya... Garth

On 08/27/2013 12:07 PM, Antun Horvat wrote:

Thanks for such quick reply, I have just executed samba-tool drs showrepl command and it seems that Forest and Domain LDAP DIT are being replicated successfully. But I still doubt that it can not be fixed since all RR records that are added to w2k3 server are successfully propagated and present. All name resolution queries on samba reflect the state of w2k3 DNS. Is there some way to debug RPC calls so that we can more precisely locate the error?

All best, Antun

On 08/27/2013 06:40 PM, Garth Keesler wrote:

This issue has been discussed at length before with no resolution to my knowledge. If you use samba-tool drs showrepl, you will probably notice that Forest and Domain DNS is not being replicated to/from all DCs. Additionally, if you use Win2003 DNS MMC, you will not be able to detect that DNS is running on the Samba DCs nor that they are DCs at all. I have only tested this using internal Samba DNS but have found no workaround and have dropped trying to use Samba to demote/replace a Win2003 DC for now.

Good luck, Garth

On 08/27/2013 09:58 AM, Antun Horvat wrote:

Hello, I have an issue with existing installation of samba4 domain controller that is specific to dns management. In the domain I have two samba4 4.0.7 and one windows 2003 server that I plug periodically to manage the dns. All fsmo roles are transferred to samba. All aspects of the domain work perfectly, except one, the samba-tool dns commands do not work. All commands when executed on samba server return ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE') error. The same command pointed to windows server works fine. All commands that add hosts to windows are replicated to samba instances. The domain is functioning at 2003 native level (reported by windows tool), but samba can't figure out the level. Also when I try to demote the w2k3 server I get the error that Active Directory could not find another domain controller to transfer the remaining data in the directory partition DC=DomainDnsZones,Dc=example,dc=com

Could you please point me to the right resources so that I can resolve my current issues. Thanks in advance, and I wish best to all Samba community.

ps If you need some kind of help, such as testing rc's in certain configuration, please contact me.
Re: [Samba] DNS management error
Unfortunate since that's exactly what I saw. I've no answers but I will keep watch in hope that you have better luck solving it than I did.

See ya... Garth

On 08/27/2013 02:00 PM, Antun Horvat wrote:

Well that's the thing, I can only replicate DNS changes from WinDC to Samba, but not in other way. I can't even update DNS records on Samba side, only on Windows side. I managed to figure out an error on Samba caused by RPC call:

dnsserver: Found DNS zone . Failed to find DNS Zones in CN=MicrosoftDNS,DC=ForestDnsZones,DC=Radio101,DC=local

Now I am surfing on the web trying to find some kind of solution.

All best, Antun

On 08/27/2013 08:46 PM, Garth Keesler wrote:

Interesting. Are Forest and Domain records being replicated in both directions from all DCs? It always worked from the WinDC to the S4DC but not in the other direction. Also, were you able to use the WIN DNS MMC to examine the DNS records on any of the Samba DCs? If so, you are probably close to having it working; something I never managed to do.

See ya... Garth

On 08/27/2013 12:07 PM, Antun Horvat wrote:

Thanks for such quick reply, I have just executed samba-tool drs showrepl command and it seems that Forest and Domain LDAP DIT are being replicated successfully. But I still doubt that it can not be fixed since all RR records that are added to w2k3 server are successfully propagated and present. All name resolution queries on samba reflect the state of w2k3 DNS. Is there some way to debug RPC calls so that we can more precisely locate the error?

All best, Antun

On 08/27/2013 06:40 PM, Garth Keesler wrote:

This issue has been discussed at length before with no resolution to my knowledge. If you use samba-tool drs showrepl, you will probably notice that Forest and Domain DNS is not being replicated to/from all DCs. Additionally, if you use Win2003 DNS MMC, you will not be able to detect that DNS is running on the Samba DCs nor that they are DCs at all. I have only tested this using internal Samba DNS but have found no workaround and have dropped trying to use Samba to demote/replace a Win2003 DC for now.

Good luck, Garth

On 08/27/2013 09:58 AM, Antun Horvat wrote:

Hello, I have an issue with existing installation of samba4 domain controller that is specific to dns management. In the domain I have two samba4 4.0.7 and one windows 2003 server that I plug periodically to manage the dns. All fsmo roles are transferred to samba. All aspects of the domain work perfectly, except one, the samba-tool dns commands do not work. All commands when executed on samba server return ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE') error. The same command pointed to windows server works fine. All commands that add hosts to windows are replicated to samba instances. The domain is functioning at 2003 native level (reported by windows tool), but samba can't figure out the level. Also when I try to demote the w2k3 server I get the error that Active Directory could not find another domain controller to transfer the remaining data in the directory partition DC=DomainDnsZones,Dc=example,dc=com

Could you please point me to the right resources so that I can resolve my current issues. Thanks in advance, and I wish best to all Samba community.

ps If you need some kind of help, such as testing rc's in certain configuration, please contact me.
[Samba] Win dcpromo and SysVol Replication
When I DCPROMO a Win2003 server into an existing Samba4.1RC1 domain with two Samba DCs, all appears to be working correctly from the Samba side but the WinDC never starts sharing SysVol as it should. Sites and Services shows all DCs as expected and forcing repl with the Samba PDC works correctly while doing that with the second Samba DC shows the following:

The following error occurred during the attempt to synchronize naming context DomainDnsZones.mydomain.local from domain controller SambaDC2 to domain controller WinDC: The naming context is in the process of being removed or is not replicated from the specified server. The operation will not continue.

This also affects the ability to demote the WinDC. More info available if needed.

Thanx, Garth
[Samba] Win 2003 DC Demotion
All, I've posted a few times about this but without response so it seems that not many folks are trying to do this. So, before I spend many more hours on this trying to make it work, a simple yes or no question: Has anyone successfully demoted a Win 2003 PDC without error after joining a Samba 4.x DC to it? That's it. I'm primarily interested in yes responses but I'll take what I can get.

Thanx, Garth
Re: [Samba] Win 2003 DC Demotion
On 07/23/2013 02:54 PM, Andrew Bartlett wrote:

On Tue, 2013-07-23 at 06:49 -0500, Garth Keesler wrote:

All, I've posted a few times about this but without response so it seems that not many folks are trying to do this. So, before I spend many more hours on this trying to make it work, a simple yes or no question: Has anyone successfully demoted a Win 2003 PDC without error after joining a Samba 4.x DC to it? That's it. I'm primarily interested in yes responses but I'll take what I can get.

It would help if you can describe the errors you get when this fails for you. It certainly is meant to work.

Thanks, Andrew Bartlett

First, thanx for the reply. I'm not exactly sure what to send so I'll send a lot. Let me know if you need more. The errors (not really errors) have to do with the fact that Forest and Domain DNS repl are one-way from WINDC to SAMBADC so when I try and demote WINDC, it refuses to demote because it believes it is the only holder of that info. Also, when I try and add the Samba DC to the Win DNS MMC, it refuses to add it because it does not detect that the Samba DC is in fact an Active Domain server. This is in spite of the fact that (some) replication does occur.

root@sambadc:~# samba --version
Version 4.1.0rc1
root@sambadc:~#
root@sambadc:~# samba-tool drs showrepl
PRR\SAMBADC
DSA Options: 0x0001
DSA object GUID: 981910d4-81a9-4421-8134-4961a3c474ad
DSA invocationId: c004e70f-5b8c-4dd8-b364-b1c110cd241c

INBOUND NEIGHBORS

DC=mydomain,DC=com
    PRR\WINDC via RPC
        DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
        Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
        0 consecutive failure(s).
        Last success @ Tue Jul 23 14:57:42 2013 CDT

DC=ForestDnsZones,DC=mydomain,DC=com
    PRR\WINDC via RPC
        DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
        Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
        0 consecutive failure(s).
        Last success @ Tue Jul 23 14:57:42 2013 CDT

CN=Configuration,DC=mydomain,DC=com
    PRR\WINDC via RPC
        DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
        Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
        0 consecutive failure(s).
        Last success @ Tue Jul 23 14:57:42 2013 CDT

CN=Schema,CN=Configuration,DC=mydomain,DC=com
    PRR\WINDC via RPC
        DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
        Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
        0 consecutive failure(s).
        Last success @ Tue Jul 23 14:57:42 2013 CDT

DC=DomainDnsZones,DC=mydomain,DC=com
    PRR\WINDC via RPC
        DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
        Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
        0 consecutive failure(s).
        Last success @ Tue Jul 23 14:57:42 2013 CDT

OUTBOUND NEIGHBORS

DC=mydomain,DC=com
    PRR\WINDC via RPC
        DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
        Last attempt @ Sat Jul 20 05:57:20 2013 CDT was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 20 05:57:20 2013 CDT

CN=Configuration,DC=mydomain,DC=com
    PRR\WINDC via RPC
        DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
        Last attempt @ Sat Jul 20 05:57:20 2013 CDT was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 20 05:57:20 2013 CDT

CN=Schema,CN=Configuration,DC=mydomain,DC=com
    PRR\WINDC via RPC
        DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
        Last attempt @ Sat Jul 20 05:57:20 2013 CDT was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 20 05:57:20 2013 CDT

KCC CONNECTION OBJECTS

Connection --
    Connection name: 130d9758-a7b2-4a25-b0b7-40ce00d9ef2a
    Enabled: TRUE
    Server DNS name : windc.mydomain.com
    Server DN name : CN=NTDS Settings,CN=WINDC,CN=Servers,CN=PRR,CN=Sites,CN=Configuration,DC=mydomain,DC=com
    TransportType: RPC
    options: 0x0001
Warning: No NC replicated for Connection!
root@sambadc:~#
root@sambadc:~# samba-tool dbcheck
Checking 2290 objects
ERROR: missing GUID component for ipsecOwnersReference in object CN=ipsecISAKMPPolicy{7238523D-70FA-11D1-864C-14A3},CN=IP Security,CN=System,DC=mydomain,DC=com - CN=ipsecPolicy
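Added example, not part of the original post and not Samba code: every link in the showrepl output above reports success, yet the two DNS partitions appear only under INBOUND NEIGHBORS. The Python sketch below parses showrepl text and reports partitions listed in one direction only; the function names and parsing rules are assumptions based on the output layout quoted in this thread, and the sample is re-typed from that output.

```python
"""Added example (not Samba code): report naming contexts that
`samba-tool drs showrepl` lists in only one direction."""
import re
import sys

SECTION_RE = re.compile(r"\b(INBOUND|OUTBOUND) NEIGHBORS\b")
NC_RE = re.compile(r"^(?:DC|CN)=\S", re.IGNORECASE)  # partition DN line
NEIGHBOR_RE = re.compile(r"^(\S+) via RPC$")          # e.g. SITE\DC via RPC
ATTEMPT_RE = re.compile(r"^Last attempt @ .*?(was successful|failed.*)$")
DNS_PREFIXES = ("dc=domaindnszones,", "dc=forestdnszones,")

# Constructed sample: values re-typed from the output quoted above, abridged
# to the lines the parser reads.
SAMPLE = r"""PRR\SAMBADC
INBOUND NEIGHBORS
DC=mydomain,DC=com
    PRR\WINDC via RPC
        Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
DC=ForestDnsZones,DC=mydomain,DC=com
    PRR\WINDC via RPC
        Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
CN=Configuration,DC=mydomain,DC=com
    PRR\WINDC via RPC
        Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
CN=Schema,CN=Configuration,DC=mydomain,DC=com
    PRR\WINDC via RPC
        Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
DC=DomainDnsZones,DC=mydomain,DC=com
    PRR\WINDC via RPC
        Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
OUTBOUND NEIGHBORS
DC=mydomain,DC=com
    PRR\WINDC via RPC
        Last attempt @ Sat Jul 20 05:57:20 2013 CDT was successful
CN=Configuration,DC=mydomain,DC=com
    PRR\WINDC via RPC
        Last attempt @ Sat Jul 20 05:57:20 2013 CDT was successful
CN=Schema,CN=Configuration,DC=mydomain,DC=com
    PRR\WINDC via RPC
        Last attempt @ Sat Jul 20 05:57:20 2013 CDT was successful
KCC CONNECTION OBJECTS
"""


def parse_showrepl(text):
    """Return {"INBOUND": {nc: [link, ...]}, "OUTBOUND": {...}}."""
    repl = {"INBOUND": {}, "OUTBOUND": {}}
    section = links = None
    for line in (raw.strip() for raw in text.splitlines()):
        found = SECTION_RE.search(line)
        if found:
            section, links = found.group(1), None
        elif "KCC CONNECTION OBJECTS" in line:
            section = links = None          # not a neighbour list
        elif section is None:
            continue                        # DSA header before the sections
        elif NC_RE.match(line):
            links = repl[section].setdefault(line, [])
        elif links is not None and NEIGHBOR_RE.match(line):
            links.append({"dsa": NEIGHBOR_RE.match(line).group(1), "ok": None})
        elif links:
            attempt = ATTEMPT_RE.match(line)
            if attempt:
                links[-1]["ok"] = attempt.group(1) == "was successful"
    return repl


def one_way_partitions(repl):
    """Partitions present under one neighbour list but not the other."""
    inbound = {nc.lower(): nc for nc in repl["INBOUND"]}
    outbound = {nc.lower(): nc for nc in repl["OUTBOUND"]}
    return {
        "inbound_only": sorted(inbound[k] for k in inbound.keys() - outbound.keys()),
        "outbound_only": sorted(outbound[k] for k in outbound.keys() - inbound.keys()),
    }


def dns_partitions_inbound_only(repl):
    """DNS application partitions this DC pulls but is not shown sending."""
    return [nc for nc in one_way_partitions(repl)["inbound_only"]
            if nc.lower().startswith(DNS_PREFIXES)]


def failed_links(repl):
    """(direction, partition, partner) for links whose last attempt failed."""
    return sorted((d, nc, link["dsa"]) for d, ncs in repl.items()
                  for nc, links in ncs.items() for link in links
                  if link["ok"] is False)


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    state = parse_showrepl(text)
    print("failed links:", failed_links(state))
    print("one-way partitions:", one_way_partitions(state))
    print("DNS partitions inbound only:", dns_partitions_inbound_only(state))
```

Piping real `samba-tool drs showrepl` output into the script on each DC gives a quick check that both DNS partitions appear in both directions before a demotion is attempted.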
Re: [Samba] Win 2003 DC Demotion
On 07/23/2013 03:37 PM, Garth Keesler wrote:

On 07/23/2013 02:54 PM, Andrew Bartlett wrote:

On Tue, 2013-07-23 at 06:49 -0500, Garth Keesler wrote:

All, I've posted a few times about this but without response so it seems that not many folks are trying to do this. So, before I spend many more hours on this trying to make it work, a simple yes or no question: Has anyone successfully demoted a Win 2003 PDC without error after joining a Samba 4.x DC to it? That's it. I'm primarily interested in yes responses but I'll take what I can get.

It would help if you can describe the errors you get when this fails for you. It certainly is meant to work.

Thanks, Andrew Bartlett

First, thanx for the reply. I'm not exactly sure what to send so I'll send a lot. Let me know if you need more. The errors (not really errors) have to do with the fact that Forest and Domain DNS repl are one-way from WINDC to SAMBADC so when I try and demote WINDC, it refuses to demote because it believes it is the only holder of that info. Also, when I try and add the Samba DC to the Win DNS MMC, it refuses to add it because it does not detect that the Samba DC is in fact an Active Domain server. This is in spite of the fact that (some) replication does occur.

root@sambadc:~# samba --version
Version 4.1.0rc1
root@sambadc:~#
root@sambadc:~# samba-tool drs showrepl
PRR\SAMBADC
DSA Options: 0x0001
DSA object GUID: 981910d4-81a9-4421-8134-4961a3c474ad
DSA invocationId: c004e70f-5b8c-4dd8-b364-b1c110cd241c

INBOUND NEIGHBORS

DC=mydomain,DC=com
    PRR\WINDC via RPC
        DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
        Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
        0 consecutive failure(s).
        Last success @ Tue Jul 23 14:57:42 2013 CDT

DC=ForestDnsZones,DC=mydomain,DC=com
    PRR\WINDC via RPC
        DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
        Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
        0 consecutive failure(s).
        Last success @ Tue Jul 23 14:57:42 2013 CDT

CN=Configuration,DC=mydomain,DC=com
    PRR\WINDC via RPC
        DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
        Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
        0 consecutive failure(s).
        Last success @ Tue Jul 23 14:57:42 2013 CDT

CN=Schema,CN=Configuration,DC=mydomain,DC=com
    PRR\WINDC via RPC
        DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
        Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
        0 consecutive failure(s).
        Last success @ Tue Jul 23 14:57:42 2013 CDT

DC=DomainDnsZones,DC=mydomain,DC=com
    PRR\WINDC via RPC
        DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
        Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
        0 consecutive failure(s).
        Last success @ Tue Jul 23 14:57:42 2013 CDT

OUTBOUND NEIGHBORS

DC=mydomain,DC=com
    PRR\WINDC via RPC
        DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
        Last attempt @ Sat Jul 20 05:57:20 2013 CDT was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 20 05:57:20 2013 CDT

CN=Configuration,DC=mydomain,DC=com
    PRR\WINDC via RPC
        DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
        Last attempt @ Sat Jul 20 05:57:20 2013 CDT was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 20 05:57:20 2013 CDT

CN=Schema,CN=Configuration,DC=mydomain,DC=com
    PRR\WINDC via RPC
        DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
        Last attempt @ Sat Jul 20 05:57:20 2013 CDT was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 20 05:57:20 2013 CDT

KCC CONNECTION OBJECTS

Connection --
    Connection name: 130d9758-a7b2-4a25-b0b7-40ce00d9ef2a
    Enabled: TRUE
    Server DNS name : windc.mydomain.com
    Server DN name : CN=NTDS Settings,CN=WINDC,CN=Servers,CN=PRR,CN=Sites,CN=Configuration,DC=mydomain,DC=com
    TransportType: RPC
    options: 0x0001
Warning: No NC replicated for Connection!
root@sambadc:~#
root@sambadc:~# samba-tool dbcheck
Checking 2290 objects
ERROR: missing GUID component for ipsecOwnersReference in object CN=ipsecISAKMPPolicy{7238523D-70FA-11D1-864C-14A3},CN=IP Security
[Samba] Samba4 PDC to Samba4 DC works great, Win2003 PDC to Samba4 DC not so great
I've posted before about this but I'll add more info. I've set up two Samba DCs in a domain, using both 4.0.7 and 4.1RC1, and all works great including Forest and Domain DNS repl in both directions. When I add a Samba 4.0.7 or 4.1RC1 DC to an existing Win2003 PDC with Forest level of 2003, Forest and Domain DNS repl is only from PDC to DC, never in the other direction. I've followed just about every thread on this topic but never with any success. This has to work in order to demote the WinPDC and use Samba as the only DCs in the domain.

Has anyone successfully done this? Should this work? If not, is there another way to do this? I've even looked at LDIFDE as a possibility but I don't think that'll do it. Any help/advice greatly appreciated.

Thanx, Garth
Re: [Samba] Win2003 DC fails to detect Samba 4 DC
replication can cause Group Policy problems. Check the FRS event log on this DC. . SAMBADC failed test frssysvol Starting test: frsevent Error 161 opening FRS eventlog \\SAMBADC:File Replication Service: The specified path is invalid. . SAMBADC failed test frsevent Starting test: kccevent Error 161 opening FRS eventlog \\SAMBADC:Directory Service: The specified path is invalid. Failed to enumerate event log records, error The specified path is invalid. . SAMBADC failed test kccevent Starting test: systemlog Error 161 opening FRS eventlog \\SAMBADC:System: The specified path is invalid. Failed to enumerate event log records, error The specified path is invalid. . SAMBADC failed test systemlog Starting test: VerifyReferences Some objects relating to the DC SAMBADC have problems: [1] Problem: Missing Expected Value Base Object: CN=SAMBADC,OU=Domain Controllers,DC=mydomain,DC=com Base Object Description: DC Account Object Value Object Attribute Name: frsComputerReferenceBL Value Object Description: SYSVOL FRS Member Object Recommended Action: See Knowledge Base Article: Q312862 [1] Problem: Missing Expected Value Base Object: CN=NTDS Settings,CN=SAMBADC,CN=Servers,CN=PRR,CN=Sites,CN=Configuration,DC=mydomain,DC=com Base Object Description: DSA Object Value Object Attribute Name: serverReferenceBL Value Object Description: SYSVOL FRS Member Object Recommended Action: See Knowledge Base Article: Q312862 . SAMBADC failed test VerifyReferences Running partition tests on : DomainDnsZones Starting test: CrossRefValidation . DomainDnsZones passed test CrossRefValidation Starting test: CheckSDRefDom . DomainDnsZones passed test CheckSDRefDom Running partition tests on : Schema Starting test: CrossRefValidation . Schema passed test CrossRefValidation Starting test: CheckSDRefDom . Schema passed test CheckSDRefDom Running partition tests on : Configuration Starting test: CrossRefValidation . Configuration passed test CrossRefValidation Starting test: CheckSDRefDom . 
Configuration passed test CheckSDRefDom Running partition tests on : ForestDnsZones Starting test: CrossRefValidation . ForestDnsZones passed test CrossRefValidation Starting test: CheckSDRefDom . ForestDnsZones passed test CheckSDRefDom Running partition tests on : mydomain Starting test: CrossRefValidation . mydomain passed test CrossRefValidation Starting test: CheckSDRefDom . mydomain passed test CheckSDRefDom Running enterprise tests on : mydomain.com Starting test: Intersite . mydomain.com passed test Intersite Starting test: FsmoCheck . mydomain.com passed test FsmoCheck Notice the strange date/time on the repl time from the windc to the sambadc which caused a latency warning near the top of the dcdiag output. There are several other errors but they may be expected when dcdiag is run against a Samba 4.0.7 DC. Let me know if anything looks incorrect. BTW, I did check and port 53 responds to telnet on both DCs. Thanx for the help and let me know if there is anything else I can provide. Garth On 07/15/2013 11:47 AM, Matthieu Patou wrote: On 07/13/2013 02:08 PM, Garth Keesler wrote: Well, I read several threads on this issue but none solved what I have going so I'll re-ask the question: Should I be able to join a Samba 4.0.7 server to a Windows 2003R2 AD that has been raised to the forest level of 2003 and then be able to demote the Win DC? As stated below, the Win Admin tools recognize the Samba DC as one of two DCs in the domain but the Win DC will not recognize Samba as such when trying to demote the Win DC. The FSMO roles will move to the Samba server but the DNS MMC will not recognize the Samba DC as a DC either. Normally it should be the case, I would have a look at the samba box for error related to DNS (ie. impossible to bind on port 53). Which kind of DNS setup do you have ? (internal, bind 9.x dlz, flat file) ? Which DNS server ip the *nix box running Samba 4.0.x is using ? Is there an easy way to orphan the Win DC after just shutting it down? 
I'd be willing to do that. Yes. From the Active Directory User
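An added example, not part of the original thread: a small triage of the dcdiag result lines posted above, separating failures that need review from ones tied to Windows-only services. The `WINDOWS_ONLY_TESTS` set and the bucket names are assumptions made for this sketch; the sample text is constructed from result lines in the posted output.

```python
import re

# Assumption (not stated in the thread): these dcdiag tests rely on the
# Windows File Replication Service or remote event-log access, which a
# Samba 4.0.x DC does not offer, so failures here are treated as noise.
WINDOWS_ONLY_TESTS = {"frssysvol", "frsevent", "kccevent", "systemlog"}

# dcdiag reports each result as "<target> passed|failed test <name>".
RESULT_RE = re.compile(r"(\S+) (passed|failed) test (\w+)")

# Constructed sample: result lines excerpted from the run in the thread,
# kept in the flattened form in which the archive shows them.
SAMPLE = (
    ". SAMBADC failed test frssysvol Starting test: frsevent "
    ". SAMBADC failed test frsevent Starting test: kccevent "
    ". SAMBADC failed test kccevent Starting test: systemlog "
    ". SAMBADC failed test systemlog Starting test: VerifyReferences "
    ". SAMBADC failed test VerifyReferences "
    "Running partition tests on : ForestDnsZones Starting test: CrossRefValidation "
    ". ForestDnsZones passed test CrossRefValidation Starting test: CheckSDRefDom "
    ". ForestDnsZones passed test CheckSDRefDom "
    "Running enterprise tests on : mydomain.com Starting test: FsmoCheck "
    ". mydomain.com passed test FsmoCheck"
)


def triage(text):
    """Group dcdiag results per target into passed / expected / needs_review."""
    buckets = {"passed": {}, "expected_on_samba": {}, "needs_review": {}}
    for target, outcome, test in RESULT_RE.findall(text):
        if outcome == "passed":
            key = "passed"
        elif test.lower() in WINDOWS_ONLY_TESTS:
            key = "expected_on_samba"
        else:
            key = "needs_review"
        buckets[key].setdefault(target, []).append(test)
    return buckets


if __name__ == "__main__":
    for bucket, targets in triage(SAMPLE).items():
        for target, tests in targets.items():
            print(f"{bucket:18} {target:16} {', '.join(tests)}")
```
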
[Samba] Forest and Domain DNS Replication with 2003 AD
I have been unable to get forest and domain DNS bi-directional replication working between Win2003 PDC and Samba 4.0.7 DC after having followed many threads about this topic. This is the only remaining issue with demoting the Win DC. Has anyone had any success with replicating these zones and, if so, would you mind sending me what you did to make it work? The one strange error I get is the DNS MMC on the 2003 box will not detect that the Samba box is a valid DNS server when I try to add it to the list of DNS servers stating that it is not an Active Directory server even tho all replication is working and FSMO roles have been transferred. The Samba DC also shows up in the Admin tools on the Win DC. Any help greatly appreciated... Garth -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Win2003 DC fails to detect Samba 4 DC
I have an (apparently) valid Samba4 DC to which I have transferred all FSMO roles in preparation for running dcpromo and demoting the Win DC. All of the logs look good on the Samba DC and showrepl indicates no errors. Unfortunately, the Win DC does not seem to detect the Samba DC when I attempt to run dcpromo and it throws a nasty warning about AD data being lost. If I run Sites and Services, both DCs show up and are viewable. Also, in Users and Computers, both DCs correctly show up in Domain Controllers. Not sure what to do next. Help appreciated. Thanx, Garth
Re: [Samba] Win2003 DC fails to detect Samba 4 DC
Starting over and following a couple of threads on this topic so please ignore. Thanx, Garth

On 07/13/2013 08:49 AM, Garth Keesler wrote:
I have an (apparently) valid Samba4 DC to which I have transferred all FSMO roles in preparation for running dcpromo and demoting the Win DC. All of the logs look good on the Samba DC and showrepl indicates no errors. Unfortunately, the Win DC does not seem to detect the Samba DC when I attempt to run dcpromo and it throws a nasty warning about AD data being lost. If I run Sites and Services, both DCs show up and are viewable. Also, in Users and Computers, both DCs correctly show up in Domain Controllers. Not sure what to do next. Help appreciated. Thanx, Garth
Re: [Samba] Win2003 DC fails to detect Samba 4 DC
Well, I read several threads on this issue but none solved what I have going so I'll re-ask the question: Should I be able to join a Samba 4.0.7 server to a Windows 2003R2 AD that has been raised to the forest level of 2003 and then be able to demote the Win DC? As stated below, the Win Admin tools recognize the Samba DC as one of two DCs in the domain but the Win DC will not recognize Samba as such when trying to demote the Win DC. The FSMO roles will move to the Samba server but the DNS MMC will not recognize the Samba DC as a DC either. Is there an easy way to orphan the Win DC after just shutting it down? I'd be willing to do that. Thanx, Garth

On 07/13/2013 11:17 AM, Garth Keesler wrote:
Starting over and following a couple of threads on this topic so please ignore. Thanx, Garth

On 07/13/2013 08:49 AM, Garth Keesler wrote:
I have an (apparently) valid Samba4 DC to which I have transferred all FSMO roles in preparation for running dcpromo and demoting the Win DC. All of the logs look good on the Samba DC and showrepl indicates no errors. Unfortunately, the Win DC does not seem to detect the Samba DC when I attempt to run dcpromo and it throws a nasty warning about AD data being lost. If I run Sites and Services, both DCs show up and are viewable. Also, in Users and Computers, both DCs correctly show up in Domain Controllers. Not sure what to do next. Help appreciated. Thanx, Garth
[Samba] Samba 4.0.7 DC in Windows 2003R2 AD
Greetings,

The ultimate goal is a full implementation of Samba4/OpenChange/SOGo but that onion has too many layers to shoot for the whole thing at once. So, I've added a Samba/Ubuntu12.04 DC to the AD and want to get it totally correct before proceeding with OC. I have two questions (at the moment):

First, PAM is not included on the Samba DC and I need to know if it is a requirement. The docs say that, if you want to use it, just rebuild after installing the necessary PAM libs but there are a fairly large number of various flavors of PAM libraries and I could use some help selecting the right set.

Second, the Samba DC is using the internal DNS and one-way sync from the PDC seems to be working but not the other way and I always get the following error when running one of the DNS tests that the docs indicate should be run.

root@sambadc:~# samba-tool dns query sambadc mydomain.com @ ALL -Uadmin
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:sambadc[,sign]
Password for [mydomain\admin]:
ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE')
  File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py, line 175, in _run
    return self.run(*args, **kwargs)
  File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py, line 974, in run
    None, record_type, select_flags, None, None)

If I need to include additional info/files, let me know and I'll do so. Any help greatly appreciated. Thanx, Garth
Re: [Samba] Samba 4.0.7 DC in Windows 2003R2 AD
Yes, the Samba server was joined to an existing Win2003R2 AD raised to the Forest Domain level following the steps outlined at https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC. Both DCs are on a local LAN so there is no FW between them and I checked that the 2003 server has no FW running. Let me know what else I can provide. Thanx, Garth

On 07/09/2013 08:51 AM, Daniel Müller wrote:
Did you join your samba4 to w 2003R2 AD domain? Is it a firewall feature?
---
IT Daniel Müller Head of IT Tropenklinik Paul-Lechler-Krankenhaus Paul-Lechler-Str. 24 72076 Tübingen Tel.: 07071/206-463, Fax: 07071/206-499 eMail: muel...@tropenklinik.de Internet: www.tropenklinik.de
---
-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Garth Keesler
Sent: Tuesday, 9 July 2013 14:43
To: samba@lists.samba.org
Subject: [Samba] Samba 4.0.7 DC in Windows 2003R2 AD

Greetings, The ultimate goal is a full implementation of Samba4/OpenChange/SOGo but that onion has too many layers to shoot for the whole thing at once. So, I've added a Samba/Ubuntu12.04 DC to the AD and want to get it totally correct before proceeding with OC. I have two questions (at the moment): First, PAM is not included on the Samba DC and I need to know if it is a requirement. The docs say that, if you want to use it, just rebuild after installing the necessary PAM libs but there are a fairly large number of various flavors of PAM libraries and I could use some help selecting the right set. Second, the Samba DC is using the internal DNS and one-way sync from the PDC seems to be working but not the other way and I always get the following error when running one of the DNS tests that the docs indicate should be run.
root@sambadc:~# samba-tool dns query sambadc mydomain.com @ ALL -Uadmin
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:sambadc[,sign]
Password for [mydomain\admin]:
ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE')
  File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py, line 175, in _run
    return self.run(*args, **kwargs)
  File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py, line 974, in run
    None, record_type, select_flags, None, None)

If I need to include additional info/files, let me know and I'll do so. Any help greatly appreciated. Thanx, Garth